
In the logs of the anti-intrusion module, there is nothing but service started/stopped, service started/stopped, ...

The logs do not have any mention of a prevented intrusion or network attack.

Does this mean nothing was ever blocked, or are attacks not logged?


Flood and Flood's wife
Posted (edited)
1 hour ago, voseco said:

In the logs of the anti-intrusion module, there is nothing but service started/stopped, service started/stopped, ...

The logs do not have any mention of a prevented intrusion or network attack. Does this mean nothing was ever blocked, or are attacks not logged?

Hello @voseco

Welcome back!

  1. KIS is Kaspersky's *old* software, it's been replaced by Kaspersky STANDARD, Kaspersky are offering a *free* upgrade, *read*, Kaspersky: Basic, Standard, Plus, Premium - info & FAQ, by Kaspersky - Danila T.
  2. The Kaspersky Standard download link is: https://www.kaspersky.com/downloads#update-product.
  3. Intrusion Prevention and Network Attack Blocker, are 2 different modules.
  4. KIS doesn't have Intrusion Prevention; in KIS the same module is called Application control -> *which* Kaspersky software is *actually* installed? On Windows Task Manager *Hidden icons*, right-click the Kaspersky icon, select About, and post back the About information please?
  5. IF / when network attacks are active, they'll be logged in the Network Attack Blocker Report - *read* -> Network Attack Blocker Report
  6. *Read*: Reports window
  7. IF / when there's an attack there may be events logged similar to: "DoS.Generic.Flood.TCPSYN, the same minute as one of the Scan.Generic.PortScan.TCP notifications."
  8. IF (your) report window shows *no* events it may mean there are no events OR possibly the 'Save in Local Report' option has been unchecked - check in Configure Notifications.

Understanding the Notifications
Scan.Generic.PortScan.TCP: This notification indicates that Kaspersky detected what it interprets as a port scan. Port scans are commonly used to check which ports are open and listening for incoming connections on a device. This action in itself is not necessarily malicious, as some network processes (especially legitimate ones within your own network) might trigger this alert.

DoS.Generic.Flood.TCPSYN: A DoS (Denial of Service) flood attack notification means that Kaspersky detected a surge in SYN (synchronization) packets. A SYN flood attack typically involves an attacker trying to overwhelm a device by sending a high volume of connection requests. Since resetting your router to factory defaults and updating passwords, this particular notification hasn’t returned, which is a good sign.

Analysis of Your Situation
Given that both notifications refer to your router’s MAC address and you've taken steps like factory resetting and changing passwords, here are some possible explanations:

Router Scanning Internal Network: Some routers have built-in features to scan internal networks for active devices and may periodically query connected devices, which can trigger port scanning alerts. These scans are usually benign.

Network Monitoring Services: Certain services on the router may actively monitor the network, especially if you have advanced settings enabled, which could trigger TCP scans. Some routers may do this to detect devices on the network or check connectivity and traffic flow.

False Positives: It’s possible that Kaspersky is misinterpreting regular network behavior as a port scan. Many antivirus and security software suites may flag standard network activities as potentially suspicious, especially on a local network where a device (in this case, the router) frequently communicates with multiple devices.

Steps to Address the Issue
Check Router Logs: Access your router’s admin interface and look at the log settings to see if there are any scans or active network monitoring events that might correspond with the timestamps of the notifications.

Disable Unnecessary Router Features: If your router has network management or scanning features, try disabling them temporarily to see if the notifications stop. Look for settings related to Network Discovery, Diagnostics, or Intrusion Detection.

Adjust Kaspersky’s Network Settings: Also, as Wesly.Zhang says, in Kaspersky Premium you can customize the settings for Network Attack Blocker. Adding your router to a trusted devices list or lowering the sensitivity of attack detection for the local network could reduce these alerts if they are indeed false positives.

Run a Manual Security Scan: If you haven’t already, run a full security scan on all devices connected to the network to ensure there aren’t any infected devices that could be inadvertently sending out suspicious packets.

Observe and Monitor: Since you’ve already taken effective measures (resetting and updating passwords), keep an eye on the notifications. If the frequency decreases or the alerts stop altogether, it’s likely that these were routine scans or a temporary anomaly.

When to Take Additional Action
If these notifications continue and you notice any unusual network behavior—such as significantly reduced performance, new unknown devices appearing on your network, or more attack alerts targeting different MAC addresses—then it might be worth deeper investigation by Kaspersky Customer Service, Kaspersky Support: https://support.kaspersky.com/b2c#contacts.

Thank you🙏
Flood🐳+🐋

Edited by Flood and Flood's wife
added images
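The reply above separates two things the original question conflates: "service started/stopped" housekeeping entries and actual blocked-attack events such as Scan.Generic.PortScan.TCP and DoS.Generic.Flood.TCPSYN, and it notes that a SYN flood logged in the same minute as a port scan from the same source is the pattern worth looking at. The script below is an added triage example, not code from this thread or from Kaspersky: it parses a constructed, semicolon-separated export (the line format, timestamps and IP addresses are assumptions; only the two attack names come from the reply), counts noise versus real events, finds the same-minute port-scan plus SYN-flood pairs, and marks whether each source sits in an RFC 1918 LAN range (a router doing discovery scans) or outside it.

```python
"""Triage of Network Attack Blocker style report lines.

Added example for this thread; not the forum's or Kaspersky's code.
ASSUMPTION: a semicolon-separated export "timestamp;event[;attack name;source]".
Only the attack names Scan.Generic.PortScan.TCP and DoS.Generic.Flood.TCPSYN
come from the thread; the line format and addresses below are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample report (not real Kaspersky output).
SAMPLE_REPORT = """\
2024-05-01 08:00:01;Service started
2024-05-01 08:14:37;Network attack blocked;Scan.Generic.PortScan.TCP;192.168.1.1
2024-05-01 08:14:52;Network attack blocked;DoS.Generic.Flood.TCPSYN;192.168.1.1
2024-05-01 09:30:00;Service stopped
2024-05-01 09:30:05;Service started
2024-05-01 11:02:10;Network attack blocked;Scan.Generic.PortScan.TCP;203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d);(?P<kind>[^;]+)"
    r"(?:;(?P<name>[^;]+);(?P<src>[^;]+))?$"
)
SERVICE_KINDS = {"Service started", "Service stopped"}
PORTSCAN = "Scan.Generic.PortScan.TCP"
SYNFLOOD = "DoS.Generic.Flood.TCPSYN"
# RFC 1918 ranges; a source inside them is on the home LAN (e.g. the router).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_report(text):
    """Parse report lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "kind": m["kind"],
            "name": m["name"],
            "src": m["src"],
        })
    return events


def attack_events(events):
    """Drop the service start/stop noise and keep only blocked attacks."""
    return [e for e in events if e["kind"] not in SERVICE_KINDS and e["name"]]


def summarize(events):
    """The split the original question asks about: noise vs. blocked events."""
    attacks = attack_events(events)
    return {
        "service_events": sum(1 for e in events if e["kind"] in SERVICE_KINDS),
        "attacks": len(attacks),
        "attacks_by_name": Counter(e["name"] for e in attacks),
    }


def correlate_portscan_synflood(events):
    """(source, minute) pairs where both a port scan and a SYN flood were logged."""
    names_by_src_minute = defaultdict(set)
    for e in attack_events(events):
        key = (e["src"], e["ts"].strftime("%Y-%m-%d %H:%M"))
        names_by_src_minute[key].add(e["name"])
    return sorted(k for k, names in names_by_src_minute.items()
                  if {PORTSCAN, SYNFLOOD} <= names)


def is_lan(src):
    """True if the source address is in an RFC 1918 private range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LAN_NETWORKS)


def triage_sources(events):
    """Per-source view: LAN sources (router discovery scans) go to the router
    settings checklist in the reply; anything else gets a closer look."""
    result = {}
    for e in attack_events(events):
        entry = result.setdefault(e["src"], {"local": is_lan(e["src"]),
                                            "events": Counter()})
        entry["events"][e["name"]] += 1
    return result


if __name__ == "__main__":
    evs = parse_report(SAMPLE_REPORT)
    print(summarize(evs))
    print(correlate_portscan_synflood(evs))
    for src, info in triage_sources(evs).items():
        print(src, "LAN" if info["local"] else "external", dict(info["events"]))
```

Run against a real export, the interesting output is the correlation list and any source flagged as external; a LAN-only result with nothing but port scans from the router's address points back to the "Disable Unnecessary Router Features" and trusted-devices steps in the reply rather than to an intrusion.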
